Mistic Backdoor Linked to Ransomware Access Broker KongTuke in Financially Motivated Campaigns
A new stealthy backdoor named Mistic has been tied to the initial access broker KongTuke, deployed against insurance, education, IT, and professional services organizations to enable ransomware attacks.
A new backdoor dubbed Mistic has been observed in financially motivated attacks targeting organizations in the insurance, education, IT, and professional services sectors. The malware is believed to be linked to KongTuke (also known as Woodgnat), an initial access broker active since at least 2024 that specializes in compromising corporate networks and selling that access to ransomware groups, including Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta.
Researchers at Symantec say that Mistic has been used in intrusions since April 2026. In at least one incident, it was deployed shortly after ModeloRAT, a backdoor attributed to KongTuke and delivered via social engineering attacks over Microsoft Teams. Symantec believes that Mistic is a newly developed, stealthy backdoor designed for long-term persistence in compromised networks.
The attack chain begins with the launch of the legitimate executable MpExtMs.exe to side-load a malicious DLL named version.dll, which acts as the loader of Mistic (EndpointDlp.dll). The researchers note that the filename chosen for Mistic resembles Microsoft endpoint security tooling, which may help the malware blend in with trusted software on the host. A separate .NET DLL is also loaded, which displays a fake login screen to the victim to steal their account credentials.
Once loaded, Mistic communicates with its command-and-control infrastructure and can receive commands from the operator. Capabilities include uploading, downloading, moving, renaming, deleting files, and creating folders; modifying how frequently Mistic checks for commands from the C2 server; executing code received from the C2 directly in memory; and terminating itself and deleting files from the host. According to Symantec’s analysis, Mistic appears to have been designed for stealth, enabling attackers to maintain a persistent foothold within compromised networks over extended periods. “The backdoor runs payloads in memory with no file written to disk and includes a kill switch that lets it delete itself, which are features consistent with an operator seeking long-term, low-visibility access,” the researchers say.
Symantec does not provide details on how the infection begins, but KongTuke has been known to use ClickFix, and its FileFix and CrashFix variants, since early 2025 to deliver the ModeloRAT malware. In a technical report this week, cloud security company Zscaler notes that Mistic, which it tracks as MTLBackdoor, was delivered as a payload in a multi-stage ClickFix infection chain in May. Zscaler researchers say that "one of the most powerful features in MTLBackdoor is the ability to load Beacon Object Files (BOFs) to expand its capabilities." BOFs are small programs in C that can execute directly in the memory of a command-and-control (C2) process, leaving no footprint on the disk and evading detection of security agents. They are common in red team products, such as Cobalt Strike, for the post-exploitation stage.
Symantec believes that Mistic confirms the observed trend of custom tools being used in ransomware attacks, although the backdoor appears to have been developed by an initial access broker closely connected to the ransomware scene. KongTuke is known to use multiple other tools, such as the legitimate WinPython and Node.js runtimes to execute malicious code, finger.exe to retrieve obfuscated payloads, the fake NexShield browser extension, the encrypted GateKeeper .NET payload, and the MintsLoader and D3F@ck Loader malware loaders to deliver additional payloads.
Both Zscaler and Symantec reports (1, 2) provide indicators of compromise for the Mistic/MTLBackdoor malware and note that it is a stealthy tool that can expand its functionality. Organizations, particularly in the targeted sectors, should review the published IOCs and consider enhanced monitoring for side-loading techniques and unusual use of Beacon Object Files, as these indicators may help detect and disrupt early stages of intrusion before a ransomware gang is brought in.